Elibomi, a new Android malware, has been targeting taxpayers in India through an app posing as a tax-filing application. According to a blog post by the McAfee Mobile Research Team, who were the first to confirm the existence of Elibomi, the malware is capable of stealing sensitive private and financial information from individuals who install the malicious Android app, which is distributed via phishing attacks.
“We have identified two main campaigns that used different fake app themes to lure in taxpayers. The first campaign from November 2020 pretended to be a fake IT certificate application while the second campaign, first seen in May 2021, used the fake tax-filing theme. With this discovery, the McAfee Mobile Research team has been able to update McAfee Mobile Security so that it detects this threat as Android/Elibomi and alerts mobile users if this malware is present in their devices.”
via the McAfee Labs blog post released on September 3rd, 2021
It is reported that Elibomi also exposes the stolen information to anyone on the internet. The stolen data includes e-mail addresses, phone numbers and SMS/MMS messages, along with other financial and personally identifiable information.
More about Elibomi and the app

The app itself, called iMobile and shown above, pretends to be an app from the Income Tax Department of India. According to McAfee, this app is the most recent version of the Elibomi campaign, complete with the logo of the Income Tax Department to trick users into trusting it. McAfee reports that this particular campaign has been active since May 2021.
As soon as the app is opened, it asks the user to grant the "necessary" permissions: access to the device's SMS service and the right to become the default messaging app on the user's device.

After all the "necessary" permissions have been granted, Elibomi attempts to collect the user's personal information, such as e-mail address and phone number. The process by which Elibomi steals SMS messages from a device is shown below:

Elibomi asks users to enter their PAN (Permanent Account Number) details along with their registered mobile numbers. The app then goes on to ask its users for net-banking credentials and debit and credit card information.

With the kind of information Elibomi can extract from affected devices, victims of the malware are exposed to a wide range of threats. Because Elibomi can become the default messaging app on the device, the attackers can use the malware not only to steal the victim's text messages but also to send text messages to premium-rate telephone numbers without the victim's knowledge. In such cases, the victim pays the bill and the scammers pocket the money.
Elibomi not only exposes the stolen SMS messages but also captures and exposes all the accounts logged in on the victim's device. According to McAfee's investigation, some versions of the app have only the initial login page, while others go as far as offering the option to register and request a fake tax refund, making the lure as realistic as possible.
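The permission abuse described above (SMS access, the default messaging role and access to the device's accounts) can be checked for on a device by parsing `adb shell dumpsys package` output together with the default SMS handler setting. The Python below is an added example, not code from McAfee's report or from the malware; the dump excerpt and the package names are constructed placeholders.

```python
import re
# Constructed sample in the shape of `adb shell dumpsys package` output;
# the package names are placeholders, not indicators from McAfee's report.
SAMPLE_DUMPSYS = """\
  Package [com.example.stock_messenger] (1a2b3c):
    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.RECEIVE_SMS: granted=true
      android.permission.SEND_SMS: granted=true
  Package [com.example.fake_itr] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.GET_ACCOUNTS: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.RECEIVE_SMS: granted=true
      android.permission.SEND_SMS: granted=true
"""
SMS_PERMS = {"android.permission." + p for p in
             ("READ_SMS", "RECEIVE_SMS", "SEND_SMS", "RECEIVE_MMS")}

def parse_granted(text):
    # Map package -> granted permissions from 'Package [name]' headers
    # and 'perm: granted=true' lines of the dump.
    granted, pkg = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*Package \[([\w.]+)\]", line):
            pkg = m.group(1)
            granted.setdefault(pkg, set())
        elif (m := re.match(r"\s*([\w.]+): granted=true", line)) and pkg:
            granted[pkg].add(m.group(1))
    return granted

def triage(text, default_sms_app, expected_sms_app):
    # Flag every package other than the expected messenger that holds SMS
    # permissions or has taken over the default SMS role; default_sms_app is
    # the value of `adb shell settings get secure sms_default_application`.
    findings = {}
    for pkg, perms in parse_granted(text).items():
        if pkg == expected_sms_app:
            continue
        reasons = []
        if sms := sorted(perms & SMS_PERMS):
            reasons.append("holds SMS permissions: " + ", ".join(sms))
        if pkg == default_sms_app:
            reasons.append("is the default SMS handler")
        if sms and "android.permission.GET_ACCOUNTS" in perms:
            reasons.append("can also enumerate accounts on the device")
        if reasons:
            findings[pkg] = reasons
    return findings
```

Run it against a real dump by piping `adb shell dumpsys package` into `triage` and passing the stock messenger's package name as `expected_sms_app`.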
The current situation
According to cybersecurity firm Cyble,
“Indian taxpayers are being targeted explicitly via mobile applications, phishing emails, and smishing, especially during the pandemic.”
Elibomi is yet another example of how effective personalized phishing attacks are at deceiving users into installing malware on their devices. There have already been several reports of phishing campaigns plaguing India over the last 2 years. India already ranks 3rd amongst the top 20 countries that are victims of cybercrime, according to the Internet Crime Report for 2019. Especially during the pandemic, with dependence on technology greater than ever, incidents such as SideCopy's attacks on Indian government personnel have become very common.
As for Elibomi, it is also clear why the hackers chose to target Android devices. Android phones are always at a greater risk of being infected with malware because of the freedom Google gives Android users, as opposed to the strict privacy norms that Apple follows.
The McAfee team stated that, at the time of writing their report, they had reported the servers exposing the data and that the exposed information was no longer available.